//some 3rd party need geo

3rd Party Extra Toolbar on XP - Cannot Remove It

  Poloman69 17:45 06 Dec 04
Locked

I have somehow had a new 3rd party toolbar applied onto my computer - without consent, and cannot remove it. I have tried Ad-aware, Spybot, Spywareblaster, CWShredder etc, and still cannot get rid of it.

It originated from www. search-control.com which i had never visited, but it also keeps adjusting my homepage to it's host.

My internet security functions are set as high as possible because i have kids and don't want them looking at adult content.

The extea toolbar functions are:

Catalog, Pharmacy, Gambling, Casino, Finance, Insurance, Adult, Dating, Computers, Travel

Does anyone now how to get rid of it?


I have done a virus check also to see if it was due to a potential replicating virus. One virus came up named under a 'spm1316.dll' file under my system32 files - description was a potentially unwanted program (Adware), and i cannot clean it, fix it or delete this.

Could this be the originating problem? If yes - any ideas of how to delete the file??

  JoeC 19:30 06 Dec 04
  Jeffers22 19:34 06 Dec 04

Download HijackThis from click here Extract the program to it's own folder which you will need to create in C:\Program Files. Run it and post a log here (double space it) - you will need to post it in two parts because of the 800 word limit. One of the experts will pick up on it and advise.

  Nellie2 21:05 06 Dec 04

If you want to post a hijack log as Jeffers22 suggests then I will take a look for you.

  Poloman69 21:33 06 Dec 04

Just downloading the program now - will post the log very soon.

Searching the internet it seems quite a few people have had the same problem with www. search-control.com. Can anything be done to shut them down?

  Poloman69 21:35 06 Dec 04

Here's the log

Logfile of HijackThis v1.97.7
Scan saved at 21:34:20, on 06/12/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\shell32s.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\shell32s.exe
C:\Program Files\McAfee.com\VSO\mcmnhdlr.exe
c:\program files\mcafee.com\shared\mghtml.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\SpywareBlaster\spywareblaster.exe
C:\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = click here
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = click here
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = click here
F0 - system.ini: Shell=Explorer.exe shell32s.exe
F2 - REG:system.ini: Shell=Explorer.exe shell32s.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Tubby - {9EAC0102-5E61-2312-BC2D-544243544243} - C:\WINDOWS\System32\TBC.dll
O2 - BHO: (no name) - {CF021F40-3E14-23A5-CBA2-7173706D1316} - C:\WINDOWS\System32\spm1316.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Search Toolbar - {9EAC0102-5E61-2312-BC2D-544243544243} - C:\WINDOWS\System32\TBC.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\RunServices: [Yahoo Messenger] YPager.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=click here
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7.cab
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - click here
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - click here
O17 - HKLM\System\CCS\Services\Tcpip\..\{71C64850-B072-48C1-9A72-4414A8E6B886}: NameServer = 193.38.113.3 194.117.157.4

  Poloman69 21:37 06 Dec 04

I'll do it again as you need to see the 'click here bits'

Logfile of HijackThis v1.97.7
Scan saved at 21:34:20, on 06/12/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\shell32s.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\shell32s.exe
C:\Program Files\McAfee.com\VSO\mcmnhdlr.exe
c:\program files\mcafee.com\shared\mghtml.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\SpywareBlaster\spywareblaster.exe
C:\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http:// dial.blueyonder.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http:// click here
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http:// dial.blueyonder.co.uk/
F0 - system.ini: Shell=Explorer.exe shell32s.exe
F2 - REG:system.ini: Shell=Explorer.exe shell32s.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Tubby - {9EAC0102-5E61-2312-BC2D-544243544243} - C:\WINDOWS\System32\TBC.dll
O2 - BHO: (no name) - {CF021F40-3E14-23A5-CBA2-7173706D1316} - C:\WINDOWS\System32\spm1316.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Search Toolbar - {9EAC0102-5E61-2312-BC2D-544243544243} - C:\WINDOWS\System32\TBC.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\RunServices: [Yahoo Messenger] YPager.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http:// dial.blueyonder.co.uk/
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7.cab
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http:// v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101837026460
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http:// download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{71C64850-B072-48C1-9A72-4414A8E6B886}: NameServer = 193.38.113.3 194.117.157.4

  Poloman69 21:41 06 Dec 04

Logfile of HijackThis v1.97.7
Scan saved at 21:34:20, on 06/12/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\shell32s.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\shell32s.exe
C:\Program Files\McAfee.com\VSO\mcmnhdlr.exe
c:\program files\mcafee.com\shared\mghtml.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\SpywareBlaster\spywareblaster.exe
C:\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http:// dial.blueyonder.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http:// click here
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http:// dial.blueyonder.co.uk/
F0 - system.ini: Shell=Explorer.exe shell32s.exe
F2 - REG:system.ini: Shell=Explorer.exe shell32s.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Tubby - {9EAC0102-5E61-2312-BC2D-544243544243} - C:\WINDOWS\System32\TBC.dll
O2 - BHO: (no name) - {CF021F40-3E14-23A5-CBA2-7173706D1316} - C:\WINDOWS\System32\spm1316.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Search Toolbar - {9EAC0102-5E61-2312-BC2D-544243544243} - C:\WINDOWS\System32\TBC.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\RunServices: [Yahoo Messenger] YPager.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http:// dial.blueyonder.co.uk/
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7.cab
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http:// v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101837026460
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http:// download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{71C64850-B072-48C1-9A72-4414A8E6B886}: NameServer = 193.38.113.3 194.117.157.4

  Poloman69 21:45 06 Dec 04

the 'click here' bit in blue is the url for www. search-control .com site

  Nellie2 21:50 06 Dec 04

you are using and out of date version of hijackthis, can you delete the copy you have and download version 1.98.2 from click here

Don't worry about the click here bits... all I ask is that anyone having a look at these threads don't click on the click here's

  Poloman69 22:02 06 Dec 04

Downloading now - will re-post new one below:

This thread is now locked and can not be replied to.

What is Google Allo? What is Google Duo? Google Allo UK release date rumours and features: Google…

1995-2015: How technology has changed the world in 20 years

These clever designs help visualise a complex intelligence tool

iOS 10 troubleshooting tips: Simple fixes for the most common iOS 10 problems, from network…